Internet-Draft                                                     anima
Intended status: standards-track                              March 2026
Expires: September 05, 2026


         Agent Task DAG: A Framework for Directed Acyclic Graph Execution in Multi-Agent Systems
         draft-agent-ecosystem-agent-task-a-00

Abstract

   As AI agent systems become increasingly complex, there is a
   growing need for structured approaches to orchestrate multi-step
   tasks across multiple autonomous agents. This document defines the
   Agent Task DAG (Directed Acyclic Graph) framework, which provides
   a standardized approach for representing, executing, and managing
   complex workflows in multi-agent environments. The framework
   addresses key challenges including task decomposition, dependency
   management, parallel execution, failure recovery, and human
   oversight integration. By building upon existing agent
   authorization profiles and task negotiation protocols, this
   specification enables agents to coordinate complex workflows while
   maintaining security, auditability, and the ability to incorporate
   human-in-the-loop decision points. The framework supports both
   fast execution in trusted environments and rigorous verification
   in regulated contexts through configurable assurance profiles.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This document is intended to have standards-track status.
   Distribution of this memo is unlimited.

Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
   "MAY", and "OPTIONAL" in this document are to be interpreted as
   described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
   appear in all capitals, as shown here.

   Agent Task DAG
      A directed acyclic graph representing a complex workflow where
      nodes represent individual tasks and edges represent
      dependencies between tasks

   Task Node
      An individual unit of work within a DAG that can be executed by
      one or more agents

   Execution Context
      The runtime environment and state information associated with
      DAG execution, including agent assignments, intermediate
      results, and checkpoint data

   Checkpoint
      A persistent snapshot of DAG execution state that enables
      rollback and recovery operations

   Task Binding
      The association of a task node with specific agent capabilities
      or agent instances

   DAG Coordinator
      An agent or system component responsible for orchestrating the
      execution of a complete DAG workflow


Table of Contents

   1.  Introduction  ................................................  3
   2.  Terminology  .................................................  4
   3.  Problem Statement  ...........................................  5
   4.  Agent Task DAG Framework  ....................................  6
   5.  Task Execution Protocol  .....................................  7
   6.  Checkpoint and Recovery Mechanisms  ..........................  8
   7.  Integration with Existing Agent Protocols  ...................  9
   8.  Security Considerations  .....................................  10
   9.  IANA Considerations  .........................................  11
   10.  References  ..................................................  12

1.  Introduction

   The increasing sophistication of AI agent systems has created a
   demand for structured approaches to orchestrate complex, multi-
   step tasks across autonomous agents. While individual agents have
   become capable of handling sophisticated reasoning and execution
   tasks, real-world applications often require coordinating multiple
   agents to complete workflows that involve parallel processing,
   sequential dependencies, and dynamic task allocation. Current
   approaches to multi-agent coordination typically rely on ad-hoc
   communication patterns or simple request-response chains, which
   lack the expressiveness and reliability needed for complex
   enterprise and research applications.

   This document defines the Agent Task DAG (Directed Acyclic Graph)
   framework, which provides a standardized approach for
   representing, executing, and managing complex workflows in multi-
   agent environments. The framework builds upon existing agent
   protocols, particularly the Agent Authorization Profile [draft-
   aap-oauth-profile] for security and authorization, and agent task
   coordination mechanisms [draft-cui-ai-agent-task] for basic task
   execution. By representing workflows as directed acyclic graphs,
   the framework enables explicit modeling of task dependencies,
   parallel execution opportunities, and conditional branching while
   maintaining guarantees about workflow termination and consistency.

   The Agent Task DAG framework addresses several critical challenges
   in multi-agent systems: task decomposition and dependency
   management, efficient parallel execution across heterogeneous
   agents, robust failure recovery and rollback mechanisms, and
   integration of human oversight at critical decision points. The
   framework leverages structured claims for agent context [draft-
   aap-oauth-profile] to enable context-aware task assignment and
   supports agent context distribution mechanisms [draft-chang-agent-
   context-interaction] to maintain coherent state across complex
   multi-round workflows. This approach ensures that agents can
   coordinate effectively while maintaining security boundaries and
   audit trails required in enterprise environments.

   The specification is designed to be protocol-agnostic and can
   operate over various transport mechanisms including HTTP
   [RFC9110], message queuing systems, and specialized agent
   communication protocols. The framework integrates with existing
   OAuth 2.0 [RFC6749] and JWT [RFC7519] infrastructure through the
   Agent Authorization Profile, enabling seamless deployment in
   environments that already support agent authentication and
   authorization. The DAG representation follows JSON [RFC8259]
   encoding standards to ensure broad compatibility and easy
   integration with existing agent development frameworks.

   This document focuses specifically on the DAG execution framework
   and does not address broader questions of agent discovery,
   capability matching, or task marketplace mechanisms, which are
   covered by complementary specifications. The framework assumes the
   existence of agent authorization infrastructure and builds upon
   established patterns for agent-to-agent communication while
   providing the additional structure needed for complex workflow
   coordination.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
   "MAY", and "OPTIONAL" in this document are to be interpreted as
   described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
   appear in all capitals, as shown here.

   This specification builds upon terminology established in the
   Agent Authorization Profile [draft-aap-oauth-profile], AI Agent
   Task specifications [draft-cui-ai-agent-task], and Agent Context
   Interaction mechanisms [draft-chang-agent-context-interaction].
   The following terms are defined for use throughout this document:

   Agent Task DAG: A directed acyclic graph data structure
   representing a complex multi-step workflow where nodes correspond
   to individual tasks and directed edges represent dependency
   relationships between tasks. The DAG enforces execution ordering
   constraints while enabling parallel execution of independent task
   branches. Each DAG maintains metadata including creation time,
   ownership, and execution policies that govern how the workflow may
   be executed across multiple agents.

   Task Node: An individual unit of work within an Agent Task DAG
   that encapsulates a specific operation to be performed by one or
   more AI agents. Each task node contains task specifications,
   input/output schemas, execution constraints, and binding
   requirements that determine which agents are capable of executing
   the task. Task nodes maintain state information including
   execution status, assigned agents, and result data as defined in
   [draft-cui-ai-agent-task].

   Execution Context: The runtime environment and associated state
   information that governs the execution of an Agent Task DAG. The
   execution context includes agent assignments, intermediate task
   results, security credentials, operational constraints from Agent
   Authorization Profiles [draft-aap-oauth-profile], and distributed
   context information as specified in [draft-chang-agent-context-
   interaction]. The execution context ensures consistency and
   provides necessary information for task coordination across
   multiple agents.

   Checkpoint: A persistent, immutable snapshot of Agent Task DAG
   execution state captured at a specific point in time. Checkpoints
   contain the complete execution context, task completion status,
   intermediate results, and sufficient metadata to enable rollback
   and recovery operations. Checkpoints serve as recovery points for
   failure scenarios and decision points for human-in-the-loop
   interventions.

   Task Binding: The process and resulting association between a task
   node and specific agent capabilities or agent instances that will
   execute the task. Task binding considers agent authorization
   profiles, capability matching, resource availability, and security
   constraints. The binding process may be performed statically
   during DAG planning or dynamically during execution based on
   runtime conditions.

   DAG Coordinator: An agent or system component responsible for
   orchestrating the complete lifecycle of Agent Task DAG execution.
   The DAG Coordinator manages task scheduling, monitors execution
   progress, handles inter-agent communication, enforces security
   policies, and coordinates checkpoint and recovery operations. The
   coordinator maintains the authoritative view of DAG execution
   state and serves as the primary interface for human oversight and
   intervention.

3.  Problem Statement

   Current approaches to multi-agent task coordination suffer from
   several fundamental limitations that impede the development of
   robust, scalable autonomous systems. Existing coordination
   mechanisms typically rely on ad-hoc communication patterns, simple
   request-response protocols, or basic workflow engines that were
   not designed for the dynamic, autonomous nature of AI agents.
   While protocols like those defined in [draft-cui-ai-agent-task]
   provide foundations for individual task execution, they lack
   standardized approaches for managing complex workflows involving
   multiple interdependent tasks across heterogeneous agent
   populations. The Agent Authorization Profile [draft-aap-oauth-
   profile] establishes important primitives for agent identity and
   authorization, but does not address the orchestration challenges
   that arise when multiple authorized agents must coordinate to
   complete complex, multi-step objectives.

   The complexity of real-world AI agent applications demands
   structured approaches to task decomposition and dependency
   management that current protocols do not adequately address.
   Agents operating in domains such as scientific research, business
   process automation, or infrastructure management often require
   workflows where tasks have intricate dependencies, may execute in
   parallel when possible, and must handle partial failures
   gracefully. Without standardized mechanisms for representing these
   relationships, agent systems resort to brittle, custom
   coordination logic that is difficult to audit, debug, or modify.
   The lack of formal workflow representation also prevents effective
   human oversight integration, as stakeholders cannot easily
   understand or intervene in complex multi-agent processes.

   Agent Context Distribution mechanisms [draft-chang-agent-context-
   interaction] have demonstrated that context sharing among agents
   significantly impacts execution success rates, but current
   approaches do not provide systematic ways to manage context
   propagation through complex workflows. In multi-step processes,
   intermediate results from one task often serve as inputs to
   downstream tasks, creating context dependencies that must be
   carefully managed to ensure workflow integrity. Existing protocols
   lack standardized approaches for maintaining execution context
   across task boundaries, leading to information loss, redundant
   computation, and coordination failures that compromise overall
   system reliability.

   Fault tolerance and recovery represent critical gaps in current
   multi-agent coordination approaches. Real-world agent systems must
   handle various failure modes including agent unavailability, task
   timeouts, resource constraints, and partial execution failures.
   Without systematic checkpoint and recovery mechanisms, workflows
   often must restart completely when any component fails, leading to
   inefficient resource utilization and poor user experience. The
   absence of standardized rollback capabilities also complicates
   human intervention scenarios, where domain experts may need to
   modify workflow parameters or task assignments based on
   intermediate results or changing requirements.

   Scalability challenges emerge when current coordination approaches
   encounter workflows with dozens or hundreds of interdependent
   tasks distributed across multiple agent instances. Simple
   centralized coordination quickly becomes a bottleneck, while fully
   decentralized approaches struggle with consistency and deadlock
   prevention. The lack of standardized protocols for parallel task
   execution, resource allocation, and progress monitoring prevents
   agent systems from efficiently utilizing available computational
   resources. Additionally, without formal workflow representation,
   it becomes difficult to optimize task scheduling, predict resource
   requirements, or provide meaningful progress indicators to human
   stakeholders.

   These limitations necessitate a framework that provides:
   structured representation of complex workflows with explicit
   dependency management; standardized protocols for parallel
   execution and agent coordination; systematic checkpoint and
   recovery mechanisms that enable fault tolerance and human
   intervention; integration with existing agent authorization and
   context distribution mechanisms; and scalable execution patterns
   that can accommodate workflows ranging from simple sequential
   processes to complex parallel computations involving multiple
   agent populations.

4.  Agent Task DAG Framework

   This section defines the core data model and execution semantics
   for the Agent Task DAG framework. The framework provides a
   structured approach for representing complex multi-agent workflows
   as directed acyclic graphs, where individual tasks are modeled as
   nodes and dependencies between tasks are represented as edges. The
   data model builds upon existing agent protocol foundations while
   introducing specific constructs needed for distributed workflow
   orchestration.

   4.1. DAG Data Model

   An Agent Task DAG MUST be represented as a JSON object [RFC8259]
   that contains the complete specification of a workflow. The DAG
   structure consists of three primary components: metadata
   describing the overall workflow, a collection of task nodes
   representing individual units of work, and dependency
   relationships that define execution ordering constraints. Each DAG
   MUST include a unique identifier, version information, and
   execution parameters that govern how the workflow should be
   processed.

   Task nodes within the DAG represent atomic units of work that can
   be executed by autonomous agents. Each task node MUST specify its
   execution requirements, including required agent capabilities,
   input and output data schemas, and execution constraints such as
   timeouts or resource limits. Task nodes SHOULD reference
   standardized task types as defined in [draft-cui-ai-agent-task]
   where applicable, enabling interoperability across different agent
   implementations. The task specification MUST include sufficient
   information for agents to determine their capability to execute
   the task and negotiate execution parameters.

   Dependency relationships between task nodes are expressed through
   edge definitions that establish partial ordering constraints over
   the DAG. Each edge MUST specify source and target task nodes, with
   the semantic meaning that the target task cannot begin execution
   until the source task has completed successfully. Edges MAY
   include conditional execution logic, allowing for branching
   workflows based on the results of predecessor tasks. The framework
   supports both data dependencies, where output from one task serves
   as input to another, and control dependencies, where task ordering
   is required for correctness without direct data flow.

   4.2. Execution Context Management

   The Execution Context provides the runtime environment for DAG
   processing and maintains state information throughout workflow
   execution. The execution context MUST track the current state of
   each task node, intermediate results produced during execution,
   and metadata about agent assignments for each task. Context
   information SHOULD be distributed among participating agents using
   the mechanisms defined in [draft-chang-agent-context-interaction]
   to ensure consistent state visibility across the multi-agent
   system.

   Agent binding within the execution context associates task nodes
   with specific agent instances or agent capability requirements.
   The framework supports both static binding, where task assignments
   are predetermined before execution begins, and dynamic binding,
   where task assignments are resolved at runtime based on agent
   availability and capability matching. When integrated with Agent
   Authorization Profiles [draft-aap-oauth-profile], the execution
   context MUST validate that assigned agents possess the necessary
   authorization claims to execute their bound tasks.

   Checkpoint creation within the execution context enables
   persistent state management and recovery capabilities. The
   framework MUST support checkpoint creation at configurable
   intervals, capturing the complete state of DAG execution including
   task completion status, intermediate results, and current agent
   assignments. Checkpoints SHOULD be created automatically before
   task nodes that are marked as requiring human oversight, enabling
   rollback to known-good states when human intervention modifies the
   workflow execution path.

   4.3. Task Execution Semantics

   Task execution within the DAG framework follows a coordination
   model where a DAG Coordinator orchestrates workflow progress while
   individual agents execute assigned tasks autonomously. The
   coordinator MUST maintain the global view of DAG state and
   determine when task dependencies have been satisfied, enabling
   parallel execution of independent task branches. Task scheduling
   MUST respect dependency constraints while maximizing parallel
   execution opportunities to optimize overall workflow completion
   time.

   The framework defines specific execution states for task nodes
   including pending, ready, executing, completed, failed, and
   skipped. State transitions MUST be coordinated through the DAG
   Coordinator to ensure consistency across the distributed system.
   When a task transitions to the ready state, the coordinator SHOULD
   initiate agent assignment and task negotiation protocols to begin
   execution. Failed tasks MAY trigger rollback procedures or
   alternate execution paths depending on the configured failure
   handling policies.

   Integration with existing agent protocols occurs through
   standardized interfaces that abstract the underlying communication
   mechanisms. The framework MUST support protocol-agnostic bindings
   that allow integration with different agent discovery,
   authorization, and communication protocols. Task execution
   requests SHOULD include structured claims as defined in [draft-
   aap-oauth-profile] when agent authorization is required, ensuring
   that security and audit requirements are maintained throughout the
   distributed workflow execution.

5.  Task Execution Protocol

   The Agent Task DAG execution protocol defines a standardized
   approach for coordinating the execution of complex workflows
   across multiple autonomous agents. The protocol builds upon
   existing agent communication mechanisms and authorization
   frameworks, particularly the Agent Authorization Profile [draft-
   aap-oauth-profile], to enable secure and auditable workflow
   execution. The execution model supports both centralized
   coordination through a designated DAG Coordinator and distributed
   execution patterns where agents negotiate task assignments
   dynamically.

   The execution protocol operates through a series of well-defined
   phases: initialization, task scheduling, parallel execution, and
   completion verification. During initialization, the DAG
   Coordinator validates the workflow structure, resolves task
   bindings to available agents, and establishes the execution
   context. Task scheduling follows topological ordering of the DAG,
   with the coordinator identifying executable tasks (those with
   satisfied dependencies) and dispatching them to appropriate
   agents. The protocol supports parallel execution of independent
   tasks while maintaining strict dependency ordering through state
   synchronization mechanisms.

   Agent coordination during DAG execution relies on structured
   message exchanges that convey task assignments, status updates,
   and result propagation. Task assignment messages MUST include the
   complete task specification, execution context parameters, and any
   required authorization tokens following the Agent Authorization
   Profile format [draft-aap-oauth-profile]. Agents respond with
   acceptance confirmations that include estimated execution time and
   resource requirements. Status update messages provide real-time
   execution progress and MUST be sent at configurable intervals to
   enable failure detection and recovery operations.

   State synchronization across the multi-agent system is achieved
   through a combination of checkpoint mechanisms and distributed
   context sharing. The DAG Coordinator maintains the authoritative
   execution state, including task completion status, intermediate
   results, and dependency satisfaction tracking. Agent Context
   Distribution mechanisms [draft-chang-agent-context-interaction]
   are employed to efficiently share relevant context information
   among participating agents, reducing redundant data transfer while
   ensuring each agent has access to necessary execution context.
   Intermediate results from completed tasks are propagated to
   dependent tasks through structured result messages that preserve
   data lineage and enable audit trail construction.

   The protocol defines specific message formats for each phase of
   execution, using JSON [RFC8259] structures that can be embedded
   within existing agent communication protocols. Task execution
   requests include fields for task identification, input parameters,
   execution constraints, and callback endpoints for status
   reporting. Result messages contain structured output data,
   execution metadata, and quality indicators that enable downstream
   tasks to validate input requirements. Error and exception messages
   provide detailed failure information including error codes,
   diagnostic data, and suggested recovery actions.

   Parallel execution coordination addresses the challenges of
   resource contention and optimal scheduling across heterogeneous
   agent capabilities. The protocol supports both push-based task
   assignment, where the coordinator actively distributes work, and
   pull-based execution, where agents request tasks based on their
   availability and capabilities. Load balancing mechanisms consider
   agent capacity, current workload, and task affinity when making
   scheduling decisions. The protocol also defines procedures for
   dynamic rescheduling when agents become unavailable or when
   execution time estimates prove inaccurate, ensuring workflow
   completion despite individual agent failures.

6.  Checkpoint and Recovery Mechanisms

   The Agent Task DAG framework MUST provide robust checkpoint and
   recovery mechanisms to ensure workflow resilience and enable
   graceful handling of failures, interruptions, and human
   intervention points. Checkpoints represent persistent snapshots of
   the DAG execution state at specific points in the workflow,
   capturing sufficient information to resume execution from that
   point or rollback to a previous stable state. The framework
   defines three types of checkpoints: automatic checkpoints created
   at predefined intervals or task completion boundaries, explicit
   checkpoints requested by agents or human operators, and recovery
   checkpoints generated immediately before high-risk operations that
   may require rollback.

   Checkpoint creation MUST capture the complete execution context as
   defined in Section 4, including the current state of all task
   nodes, intermediate results, agent assignments, and security
   context derived from Agent Authorization Profiles [draft-aap-
   oauth-profile]. Each checkpoint MUST include a unique identifier,
   timestamp, DAG version, execution state hash, and references to
   any external resources or agent context information as specified
   in [draft-chang-agent-context-interaction]. The checkpoint data
   structure SHOULD be serialized using JSON [RFC8259] with optional
   compression for large state objects, and MUST be digitally signed
   to ensure integrity and authenticity. Checkpoints MAY be stored in
   distributed storage systems to ensure availability across multiple
   DAG Coordinators.

   The rollback procedure enables the DAG execution to revert to a
   previous checkpoint when failures occur or human intervention
   requires undoing completed work. When a rollback is initiated, the
   DAG Coordinator MUST notify all participating agents of the
   rollback operation, invalidate any results produced after the
   target checkpoint, and restore the execution context to the
   checkpoint state. Agents MUST acknowledge the rollback operation
   and may need to perform agent-specific cleanup operations such as
   releasing resources or notifying external systems. The rollback
   operation MUST preserve audit trails by maintaining records of
   both the original execution and the rollback event, ensuring
   compliance with security and regulatory requirements.

   Failure recovery strategies operate at multiple levels within the
   DAG execution framework, from individual task failures to complete
   coordinator failures. For task-level failures, the framework
   supports automatic retry with exponential backoff, task
   reassignment to alternative agents with compatible capabilities,
   and conditional continuation where dependent tasks may proceed
   with degraded inputs. When coordinator failures occur, recovery
   mechanisms leverage distributed checkpoints and coordinator
   election protocols to restore execution state on alternative
   infrastructure. The framework MUST support human-in-the-loop
   recovery scenarios where automated recovery is insufficient,
   providing interfaces for human operators to inspect checkpoint
   states, approve recovery actions, and inject corrective context
   information.

   The checkpoint and recovery mechanisms MUST integrate with the
   agent authorization framework to ensure that recovery operations
   maintain appropriate security boundaries and access controls.
   Recovery operations SHOULD verify that participating agents still
   possess valid authorization profiles and may require re-
   authentication if significant time has elapsed since checkpoint
   creation. The framework MUST provide configurable retention
   policies for checkpoints, balancing storage efficiency with
   recovery requirements, and MUST support secure deletion of
   checkpoint data containing sensitive information when retention
   periods expire or workflows complete successfully.

7.  Integration with Existing Agent Protocols

   This section describes how the Agent Task DAG framework integrates
   with existing agent authorization, discovery, and communication
   protocols to provide a comprehensive multi-agent workflow
   execution environment. The framework is designed to be protocol-
   agnostic while providing specific bindings for commonly used agent
   protocols, enabling organizations to adopt DAG-based workflows
   within their existing agent infrastructure.

   The DAG framework builds upon the Agent Authorization Profile
   (AAP) [draft-aap-oauth-profile] to establish secure task execution
   contexts. When a DAG Coordinator initiates workflow execution, it
   MUST obtain appropriate authorization tokens for each
   participating agent using the structured claims defined in AAP.
   The task context claim within the agent's JWT token includes the
   DAG identifier, task node assignments, and operational constraints
   specific to the workflow. This approach ensures that agents can
   verify their authorization to execute specific tasks within the
   broader workflow context while maintaining the delegation chains
   and human oversight requirements established in their
   authorization profiles.

   Agent discovery and capability matching for DAG execution
   leverages existing agent discovery protocols while extending them
   with DAG-specific metadata. Agents participating in DAG workflows
   SHOULD advertise their capabilities using structured capability
   descriptors that include supported task types, execution
   constraints, and checkpoint compatibility. The DAG Coordinator
   uses this information during the task binding process to assign
   task nodes to appropriate agents. When multiple agents are capable
   of executing a particular task type, the coordinator MAY use load
   balancing, geographic distribution, or other selection criteria to
   optimize workflow execution.

   Context distribution among agents executing DAG workflows follows
   the mechanisms defined in [draft-chang-agent-context-interaction],
   with specific extensions for DAG execution state management. The
   execution context for a DAG workflow includes the complete graph
   structure, current execution state, intermediate task results, and
   checkpoint metadata. Agents MUST receive sufficient context to
   execute their assigned tasks while minimizing the distribution of
   sensitive information to unauthorized agents. The framework
   supports both push-based context distribution, where the DAG
   Coordinator sends relevant context to agents before task
   execution, and pull-based approaches where agents request specific
   context elements as needed.

   The framework provides protocol bindings for common agent
   communication patterns including HTTP-based REST APIs [RFC9110],
   message queuing systems, and real-time communication protocols.
   Each binding specifies how DAG execution messages are encoded, how
   task results are reported, and how checkpoint operations are
   coordinated across the distributed agent environment. Protocol-
   specific considerations such as connection management, retry
   mechanisms, and error handling are addressed within each binding
   specification. For HTTP-based bindings, the framework defines
   standardized endpoints for task execution, status reporting, and
   checkpoint operations that can be implemented by any agent
   supporting the DAG execution protocol.

   Integration with existing agent task protocols [draft-cui-ai-
   agent-task] is achieved through task node adapters that translate
   between DAG task specifications and protocol-specific task
   representations. These adapters handle differences in task
   parameterization, result formatting, and execution semantics while
   preserving the dependency relationships and execution guarantees
   required by the DAG framework. The framework also supports
   integration with audit and compliance systems through standardized
   logging interfaces that capture task execution events,
   authorization decisions, and checkpoint operations in formats
   compatible with existing security and compliance tools.

8.  Security Considerations

   The Agent Task DAG framework introduces unique security challenges
   that extend beyond traditional single-agent systems. Multi-agent
   workflows create expanded attack surfaces through inter-agent
   communication channels, shared execution contexts, and distributed
   state management. Malicious actors may attempt to inject
   unauthorized tasks into DAG structures, manipulate task
   dependencies to create privilege escalation paths, or exploit
   checkpoint mechanisms to gain persistent access to workflow state.
   The distributed nature of DAG execution also amplifies risks
   related to agent impersonation, context poisoning, and
   unauthorized workflow modification during execution.

   Task authorization within DAG workflows MUST leverage the Agent
   Authorization Profile [draft-aap-oauth-profile] to establish fine-
   grained permissions for each task node. Each task node SHOULD
   include authorization requirements that specify which agent
   capabilities, delegation chains, and operational constraints are
   required for execution. The DAG Coordinator MUST verify that
   assigned agents possess valid JWT tokens with appropriate
   structured claims before initiating task execution. When tasks
   involve sensitive operations or access to protected resources,
   implementations SHOULD require fresh token validation rather than
   relying on cached authorization state. Multi-step workflows that
   span extended time periods MUST implement token refresh mechanisms
   to maintain security throughout DAG execution.

   Context isolation represents a critical security boundary in
   multi-agent DAG systems. Execution contexts MUST be isolated
   between different DAG instances to prevent information leakage and
   unauthorized access to intermediate results. Implementations
   SHOULD use cryptographic techniques to protect context data in
   transit and at rest, particularly when context distribution
   mechanisms [draft-chang-agent-context-interaction] are employed
   across network boundaries. Task nodes that handle sensitive data
   MUST implement appropriate data classification and handling
   controls, ensuring that context information is only accessible to
   authorized agents within the workflow. The framework SHOULD
   support configurable context sharing policies that allow
   administrators to define which context elements can be shared
   between tasks and which must remain isolated.

   Audit trail requirements for DAG execution are more complex than
   single-agent scenarios due to the distributed and potentially
   parallel nature of task execution. Implementations MUST maintain
   comprehensive logs that capture DAG initiation, task assignments,
   agent authorizations, execution outcomes, and any human
   intervention points. Audit records SHOULD include cryptographic
   signatures or integrity mechanisms to prevent tampering and
   support forensic analysis. The checkpoint and recovery mechanisms
   introduce additional logging requirements, as rollback operations
   and failure recovery attempts MUST be fully auditable.
   Organizations operating in regulated environments MAY require
   enhanced audit capabilities that provide real-time monitoring of
   DAG execution state and automated alerts for security policy
   violations.

   The integration of human oversight points within DAG workflows
   creates additional security considerations around authentication,
   authorization, and workflow integrity. Human operators MUST be
   properly authenticated before approving task continuations or
   modifying workflow parameters. The framework SHOULD support multi-
   factor authentication and role-based access controls for human
   intervention points. Implementations MUST ensure that human
   approval requirements cannot be bypassed through agent
   coordination or DAG manipulation. When human operators modify
   workflow parameters or approve exceptional conditions, these
   actions MUST be cryptographically signed and integrated into the
   workflow's audit trail to maintain end-to-end accountability.

9.  IANA Considerations

   This document introduces several new protocol elements and
   identifiers that require IANA registration to ensure global
   uniqueness and interoperability across implementations. The Agent
   Task DAG framework extends existing agent communication protocols
   with new message types, node classifications, and execution state
   identifiers that must be standardized for consistent
   implementation.

   The specification requires the establishment of a new "Agent Task
   DAG Parameters" registry to manage the various identifiers used
   within the framework. This registry MUST include sub-registries
   for DAG node types, edge relationship types, execution states,
   checkpoint types, and recovery action identifiers. Each sub-
   registry MUST follow the "Specification Required" registration
   policy as defined in [RFC8126], with designated experts reviewing
   submissions for technical correctness and consistency with the
   overall framework architecture. The registry MUST also accommodate
   extensions that integrate with existing agent authorization
   profiles as defined in [draft-aap-oauth-profile].

   A new "application/vnd.ietf.agent-task-dag+json" media type
   registration is REQUIRED for DAG workflow documents. This media
   type MUST reference this specification and follow the JSON format
   requirements specified in [RFC8259]. The media type enables proper
   content negotiation when agents exchange DAG definitions and
   execution state information. Additionally, new URI schemes "agent-
   dag:" and "agent-task:" are proposed for identifying DAG instances
   and individual task nodes respectively, requiring registration in
   the "Uniform Resource Identifier (URI) Schemes" registry
   maintained by IANA.

   The framework introduces new JWT claim names for representing DAG
   execution context and task bindings within agent authorization
   tokens, extending the structured claims mechanism defined in
   [draft-aap-oauth-profile]. These claim names MUST be registered in
   the "JSON Web Token Claims" registry established by [RFC7519]. The
   new claims include "dagid", "tasknode", "executioncontext",
   "checkpointref", and "recovery_state", each with specific semantic
   meanings within the DAG execution protocol. Registration of these
   claims ensures consistent interpretation across different agent
   implementations and authorization servers.

   Finally, new HTTP header fields "DAG-Execution-ID" and "DAG-
   Checkpoint" are introduced for coordination between agents during
   DAG execution. These headers MUST be registered in the "Hypertext
   Transfer Protocol (HTTP) Field Name Registry" as defined in
   [RFC9110]. The headers enable stateless coordination mechanisms
   and support the checkpoint and recovery procedures specified in
   this framework, while maintaining compatibility with existing
   HTTP-based agent communication protocols.

10.  References

10.1.  Normative References

   [RFC 2119]
         RFC 2119

   [RFC 8174]
         RFC 8174

   [RFC 8259]
         RFC 8259

   [RFC 7519]
         RFC 7519

   [draft-aap-oauth-profile]
         draft-aap-oauth-profile

   [draft-cui-ai-agent-task]
         draft-cui-ai-agent-task

   [draft-guy-bary-stamp-protocol]
         draft-guy-bary-stamp-protocol

10.2.  Informative References

   [RFC 6749]
         RFC 6749

   [RFC 9110]
         RFC 9110

   [draft-chang-agent-context-interaction]
         draft-chang-agent-context-interaction

   [draft-liu-dmsc-acps-arc]
         draft-liu-dmsc-acps-arc

   [draft-rosenberg-aiproto-framework]
         draft-rosenberg-aiproto-framework

   [draft-song-oauth-ai-agent-collaborate-authz]
         draft-song-oauth-ai-agent-collaborate-authz

   [draft-mao-rtgwg-apn-framework-for-ioa]
         draft-mao-rtgwg-apn-framework-for-ioa

   [draft-nandakumar-ai-agent-moq-transport]
         draft-nandakumar-ai-agent-moq-transport


Author's Address

   Generated by IETF Draft Analyzer
   Family: agent-ecosystem
   2026-03-04
